Posted by ScuttleMonkey on Friday January 15, 2010 @02:52PM
from the call-bruce-willis dept.

coondoggie writes to mention that the US Department of Energy is planning to set up a new "National Energy Sector Cyber Organization" in order to protect the national bulk power electric grid. For the low, low cost of $8.5 million they will help integrate smart grid technology with the electric grid, speed research, and establish new policy and protocols. "It is paramount that smart grid devices and interoperability standards include protections against cyber intrusions and have systems that are designed from the start (not patches added on) that prevent unauthorized persons from gaining entry through the millions of new access points created by the deployment of smart grid technologies, Hoffman stated."

Recently I saw that a bunch of stimulus funds were handed out [arst.ch] for bringing the nation's electrical grid into the 21st century. A big part of this is using computers to control various parts of the grid, from utility scale substations down into the home with smart meters and smart appliances.

Anytime you take infrastructure and connect it to computers you are opening it up to a whole new set of threats as well as bringing privacy implications.

Here's a couple great [wired.com] articles [arst.ch] that go into the details better t

Systems that control key infrastructure for your nation's production and commerce should be on a completely separate network. End of story really.

For the information that needs to be distributed over the internet, make it eyes only transferred from the control network to the internet connected systems (double workstation setup). Then your only concern is direct espionage.

I agree that it should be, however it is completely cost prohibitive to get a separate network run to the smart meter in everyone's home. Even running a separate network to all the utility substations would be challenging.

In reality, VPNs run all over the public internet, and can be extremely secure. DOD even allows parts of their classified networks to run over the commercial internet, provided they have the correct encryption gear at each end. The DOD gear is really expensive and tough to get setup,

Was the Interstate Highway System too expensive? It seems to me that this is something our country needs and could actually create jobs in a depressed economy. A "private" network to homes across the country could serve many useful government purposes (voting/motor vehicle registrations/census).

If the pipe was limited to government interaction alone, and all other data activity continues to run over current commercial pipes, then it would make sense.

As for them monitoring the data, if the "monitoring" process was open, that is, it could be scrutinized by the public, then it would not be bad.

For some people, they may be so poor that they use the government pipe for Internet. If they're going to use a service paid for by taxpayers, it's the responsibility of the government to make sure the pipe's n

Yes, I want a government owned network piped into my house without my permission.

That would make me a happy taxpayer.

mmmmhmmmmm

I love you, government. I would marry you, if you were a woman (so as to fit within the proper constitutionally defined government definition of marriage as "one man and one woman"). But you don't so that would be wrong.

I agree that it should be, however it is completely cost prohibitive to get a separate network run to the smart meter in everyone's home. Even running a separate network to all the utility substations would be challenging.

The smart meter is already connected to a network of hard-lines which links it to every other smart-meter in its area, as well as the substations those houses draw power from.
How cost-prohibitive is that?

This is absolutely true...you have to look at it end-to-end. However, if you can get all the internet communication to be over the VPN, that leaves an impossibly small vector for penetration from the internet (just the server with its one VPN port could be attacked).

Obviously (or maybe not so), you'd need to also think about the security of all the devices out there...what happens if one gets physically compromised, etc., but getting them so they're not accessible to the public from the internet is a grea

Yeah, I totally agree with this. Hopefully that will be exactly the recommendation that these geeks make to the government. We simply cannot afford to take chances with the security of our power grid. If it's at all possible for hackers to knock it out, they will.

Future terrorism will be aimed at hollowing out national governments, to basically make them unable to control their territory. (This is already happening now in Mexico, Nigeria, Iraq, etc.) To do this, attacks disrupt the very services that pro

They ARE. I serviced DR systems for several power companies. By LAW there is not even an internet connection allowed in the BUILDING (let alone the room) housing the grid switch control systems, not even a modem.

I was frisked each time entering, and had to go through 2-3 layers of security to get in the room. Even then, I could only touch the DR equipment once an employee physically disconnected it (for hardware repairs), or they had to enter all the keystrokes personally, all I could do was watch and ins

One of the better systems I've seen for doing this was one implemented for a company that had a private network that was disconnected from the Internet just for embedded devices:

The internal network for reporting on embedded stuff had one machine that polled the embedded controllers and pulled data from them. The corporate intranet had another box which took the data and moved it to a Web server. Connecting the two was a serial cable, which was fast enough at 19200 BPS to move the small datasets, and a cr

How about decentralizing the "brittle power" system more in the first place, so you have "intrinsic security" so it degrades slowly under attack rather than rely heavily on "extrinsic security" through guards or passwords for controlling some central system? For example, renewables such as solar panels and fuel cells at each home would make energy production in a country difficult to interrupt intrinsically (assuming there was no single poi

I agree purely with what you say, they must take into consideration the Bruce Willis factor, he might not be around next time to save the day, and we still have so many bad guys out there. Seriously though, I do hope they do a better job this time around than last time to maintain the integrity of the power grid

This was covered in "Live Free or Die Hard". Hello!!! What if Timothy Olyphant were to go crazy one day and believe he is still on the set of Live Free or Die Hard? We might actually be taken over by cyberpunk terrorists. God help us....

It's pretty obvious to anyone familiar with computer networking that making the electric power grid "smart" would make it more vulnerable to attack. After all, if the grid's control apparatus isn't online, there's no way to hack into it in the first place. I realize there are other advantages to a smart grid but to claim that making the current "dumb" grid smart would also make it more secure seems disingenuous at best.

Word on the street is that the current grid is already dangerously insecure and extremely vulnerable to digital attacks. You're right that the "smarter" we make it the more vulnerable it is, but we've got to do something to fix it already, so we might as well get some of the huge benefits of making it smarter.

No, this is simply integrating PoE technology to smartgrid devices. It has absolutely NOTHING to do with managing the grid, grid switching systems, or other critical data that makes the grid stable (that's already a segregated system, actually even more secure than the ATM networks).

This is about policies for ensuring your home grid monitoring meter can access real-time info about local grid conditions, and to report usage information over the grid to the power company. It is NOT in any way about connectin

most federal electric policy seems to be designed to make price gouging practical. from a certain point of view, the problem with last big electrical speculation frenzy is that the power transmission lines could not support the manipulation, so the big push was for more power transmission lines

so only authorized persons should have your data. think of the political and ideological advantages of knowing exactly what you were us

Yeah, that's totally the right idea. I just scanned through the PDF and it seems more geared towards desktop PC use, and it even talks about the gateway running on a commodity PC. Rather, I think we need to think more about cheap, single use computers. Take something small like a gumstix board, put two ethernet ports on it and load OpenVPN and a key onto it, then plug in the existing smart device into one port and the existing internet connection into the other port...suddenly the device can't be seen (a

Firewalls and VPNs stop direct remote access from unauthorized parties. But "commodity PCs" could have rogue programs that enable thru it access to unauthorized people. Computer connected, any password typed captured, and most usual security is defeated.

Run your own OS, don't use the hard drive shipped with the PC without wiping it, and do unit testing with the hardware long before it's ever deployed to see if the BIOS runs everything in a VM. There was a virus reported a while back here on /. that ran Windows Vista in a VM, and there was a manner in which to detect it by detecting that the OS was running in a virtual machine.

Personally, I'm glad that someone is finally getting around to dealing with the proper education of our grids. Just yesterday I was hearing all about education cuts in my state due to budget shortfalls, and how student achievement in my state was going to suffer as a result.

It is heartening to hear that though some facets of our educational system will have to tighten their belts, the dumb grids will still pop out the other side of their educational experience so much smarter (and deployed!) than before

Now, if it was *really* that simple, don't you think it would have already been done that way? The problem is, it's not that simple. For a variety of reasons (both technical, and non-technical), electrical systems can't just be disconnected from the grid. Too many other systems rely on this connection. And, even if it could, would that really be the answer? With more and more members of industry talking about smartgrid technologies, does it really make sense to do it this way? Then, of c

What are you talking about? Ten years ago, less than 20 percent of power stations were accessible remotely via any other method than analog modem via ISDN backtrace and caller ID. Now there's a web interface to every one of them, that any idiot can bust into and shut off a city. And I mean that.

The breakage is recent, and can be rolled back. Roll it the hell back.

As always, the biggest problem here is the one that you're showcasing strongly: the "it's just too HARD" modality. Yeah, it's really hard. Do it

we are expected to have a secure smart grid? How hard is it to give some real powers to the Cybersecurity Czar so he's something more than a scapegoat, and get him to stay put long enough to complete his New Employee Orientation? We can't even do that, yet we're supposed to find a way to secure the smart grid?

Has the current Cybersecurity Czar even made a statement about the recent hacking invasion from the Chinese government?

Has the current Cybersecurity Czar even made a statement about the recent hacking invasion from the Chinese government?

Hell no. A former C-level executive at Microsoft [signonsandiego.com] is not going to touch that, it's an international incident that he helped cause [bbc.co.uk]. Look instead for smoke and noise about some other happy horseshit. It's bizarre how he could squeak past the employment interviews. Any background check should have turned up his employment at Microsoft, so either none was done or there is some serious co

I'm surprised the current administration hasn't called the whole smart grid idea off. After all, won't it put tens of thousands of meter readers out of work? That probably hasn't occurred to them yet, but you just wait. Please, someone think of the meter readers!

If we all have our mini solar, wind, tidal, geothermal, chemical generators and trickle storage systems then we'll be smarter than the grid. If the grid remains smarter than us, then I guess we're not going to be very effective protection. Perhaps if we could just figure out how to stop people from trying to destroy our lives, our grids would endure, and we could avoid their crude oil and behavior.

A nation's electrical infrastructure is everywhere and largely unguarded - there's really nothing stopping a single, determined individual from doing an extreme amount of *physical* damage to a power company via sabotage.

Theoretically, there's no reason I can't:

- Sneak into the woods with a gas angle grinder and start cutting guy wires on hydro towers. Cut down a few >300KV lines feeding a city and they'll have no power for days.
- Break into unmanned substations and open oil drains on transformers. Or sh

- Not pissing the fucking world off such that they *want* to do this shit. (Yeah, cliche, whatever.)

So what got Al-Qaeda all interested in blowing up US buildings to begin with? It's not about Afghanistan or Iraq (those were post-911, after all). How was the US pissing off the Arab world? Oh! It's because the US was friendly with Israel. Israelis are obviously deplorable monsters, as you can tell from their religion and their tendency to shoot back when you launch a bunch of rockets at them from acros